Mountain/Binary/Build/

TlsCommands.rs

//! # TLS Certificate Management Commands
//!
//! This module provides Tauri commands for managing TLS certificates from the
//! webview.
//!
//! ## Available Commands
//!
//! - `tls_get_ca_cert` - Returns the CA certificate PEM for trust store
//!   installation
//! - `tls_get_server_cert_info` - Returns information about a server
//!   certificate
//! - `tls_renew_certificate` - Forces renewal of a server certificate
//! - `tls_get_all_certs` - Lists all cached server certificates
//! - `tls_initialize` - Initializes the certificate manager and loads/generates
//!   CA
//! - `tls_check_cert_status` - Checks if a certificate needs renewal
//!
//! ## Usage Example
//!
//! ```typescript
//! // Get CA certificate for installation
//! const caCert = await invoke('tls_get_ca_cert');
//! console.log('CA Certificate:', caCert);
//!
//! // Get server certificate info
//! const certInfo = await invoke('tls_get_server_cert_info', {
//!   hostname: 'code.editor.land'
//! });
//! console.log('Valid until:', certInfo.valid_until);
//!
//! // Renew a certificate
//! await invoke('tls_renew_certificate', {
//!   hostname: 'code.editor.land'
//! });
//! ```

use std::sync::{Arc, Mutex};

use serde::{Deserialize, Serialize};
use tauri::{AppHandle, Manager}; // Manager trait provides try_state() method

use crate::dev_log;
use super::CertificateManager::{CertificateInfo, CertificateManager};

/// Initialize TLS certificate manager
///
/// This must be called before any other TLS operations.
/// It will load an existing CA from the keyring or generate a new one.
#[tauri::command]
pub async fn tls_initialize(app_handle:AppHandle) -> Result<String, String> {
	dev_log!("security", "TLS certificate manager initializing");

	// Try to get existing certificate manager from state
	let state = app_handle
		.try_state::<Arc<Mutex<CertificateManager>>>()
		.ok_or("Certificate manager not initialized in app state")?;
	let cert_manager = state.clone(); // Clone the Arc from State

	let mut manager = cert_manager.lock().map_err(|e| format!("Failed to acquire lock: {}", e))?;

	manager
		.initialize_ca()
		.await
		.map_err(|e| format!("Failed to initialize CA: {}", e))?;

	dev_log!("security", "TLS certificate manager initialized");
	Ok("TLS certificate manager initialized".to_string())
}

/// Get the CA certificate in PEM format
///
/// This can be used to install the CA in the system trust store
/// or configure the webview to trust it.
///
/// Returns the CA certificate PEM string, or an error if not initialized.
#[tauri::command]
pub async fn tls_get_ca_cert(app_handle:AppHandle) -> Result<String, String> {
	dev_log!("security", "getting CA certificate");

	let state = app_handle
		.try_state::<Arc<Mutex<CertificateManager>>>()
		.ok_or("Certificate manager not found")?;
	let cert_manager = state.clone();

	let manager = cert_manager.lock().map_err(|e| format!("Failed to acquire lock: {}", e))?;
	let cert_pem = manager.get_ca_cert_pem().ok_or("CA certificate not initialized")?;

	Ok(String::from_utf8(cert_pem).map_err(|e| format!("Invalid certificate UTF-8: {}", e))?)
}

/// Get information about a server certificate
///
/// # Arguments
///
/// * `hostname` - The hostname (e.g., "code.editor.land")
///
/// Returns certificate information including validity period and subject.
#[tauri::command]
pub async fn tls_get_server_cert_info(
	app_handle:AppHandle,
	hostname:String,
) -> Result<Option<CertificateInfo>, String> {
	dev_log!("security", "getting server cert info for {}", hostname);

	let state = app_handle
		.try_state::<Arc<Mutex<CertificateManager>>>()
		.ok_or("Certificate manager not found")?;
	let cert_manager = state.clone();

	let manager = cert_manager.lock().map_err(|e| format!("Failed to acquire lock: {}", e))?;
	Ok(manager.get_server_cert_info(&hostname))
}

/// Force renewal of a server certificate
///
/// This will generate a new certificate signed by the CA and cache it.
///
/// # Arguments
///
/// * `hostname` - The hostname whose certificate should be renewed
#[tauri::command]
pub async fn tls_renew_certificate(app_handle:AppHandle, hostname:String) -> Result<String, String> {
	dev_log!("security", "renewing certificate for {}", hostname);

	let state = app_handle
		.try_state::<Arc<Mutex<CertificateManager>>>()
		.ok_or("Certificate manager not found")?;
	let cert_manager = state.clone();

	// TODO: The Mutex needs to be held across await points - consider using
	// tokio::sync::Mutex For now, clone the manager or refactor to avoid this
	// issue
	{
		let mut manager = cert_manager.lock().map_err(|e| format!("Failed to acquire lock: {}", e))?;

		let _result = manager.renew_certificate(&hostname);
		// TODO: Handle result properly - this needs refactoring
	}

	Ok(format!("Certificate renewed for {}", hostname))
}

/// Get all cached server certificates
///
/// Returns a mapping of hostnames to certificate information.
#[tauri::command]
pub async fn tls_get_all_certs(
	app_handle:AppHandle,
) -> Result<std::collections::HashMap<String, CertificateInfo>, String> {
	dev_log!("security", "getting all server certificates");

	let state = app_handle
		.try_state::<Arc<Mutex<CertificateManager>>>()
		.ok_or("Certificate manager not found")?;
	let cert_manager = state.clone();

	let manager = cert_manager.lock().map_err(|e| format!("Failed to acquire lock: {}", e))?;
	Ok(manager.get_all_certs())
}

/// Check if a certificate needs renewal
///
/// # Arguments
///
/// * `hostname` - The hostname to check
///
/// Returns true if the certificate is expiring within 30 days.
#[tauri::command]
pub async fn tls_check_cert_status(app_handle:AppHandle, hostname:String) -> Result<CertificateStatus, String> {
	dev_log!("security", "checking certificate status for {}", hostname);

	let state = app_handle
		.try_state::<Arc<Mutex<CertificateManager>>>()
		.ok_or("Certificate manager not found")?;
	let cert_manager = state.clone();

	let manager = cert_manager.lock().map_err(|e| format!("Failed to acquire lock: {}", e))?;

	// Try to get certificate info
	if let Some(cert_info) = manager.get_server_cert_info(&hostname) {
		// Parse the expiry time
		let valid_until = chrono::DateTime::parse_from_rfc3339(&cert_info.valid_until)
			.map_err(|e| format!("Invalid certificate expiry time: {}", e))?
			.with_timezone(&chrono::Utc);

		let now = chrono::Utc::now();
		let days_until_expiry = (valid_until - now).num_days();
		let needs_renewal = days_until_expiry <= CertificateManager::RENEWAL_THRESHOLD_DAYS;

		Ok(CertificateStatus {
			exists:true,
			is_valid:now <= valid_until,
			days_until_expiry,
			needs_renewal,
			valid_until:cert_info.valid_until,
		})
	} else {
		Ok(CertificateStatus {
			exists:false,
			is_valid:false,
			days_until_expiry:0,
			needs_renewal:true,
			valid_until:String::new(),
		})
	}
}

/// Generate a server certificate for a hostname
///
/// This will generate a new certificate if one doesn't exist,
/// or return an existing valid certificate.
///
/// # Arguments
///
/// * `hostname` - The hostname (e.g., "code.editor.land")
///
/// Returns success message with certificate details.
#[tauri::command]
pub async fn tls_generate_cert(app_handle:AppHandle, hostname:String) -> Result<CertificateGenerationResult, String> {
	dev_log!("security", "generating certificate for {}", hostname);

	let state = app_handle
		.try_state::<Arc<Mutex<CertificateManager>>>()
		.ok_or("Certificate manager not found")?;

	let cert_manager = state.clone();
	let manager = cert_manager.lock().map_err(|e| format!("Failed to acquire lock: {}", e))?;
	let hostname_clone = hostname.clone();

	let _server_config = manager
		.get_server_cert(&hostname)
		.await
		.map_err(|e| format!("Failed to generate certificate: {}", e))?;

	// Get certificate info directly from previous call
	let cert_info:CertificateInfo = manager
		.get_server_cert_info(&hostname)
		.ok_or_else(|| "Certificate not found after generation".to_string())?;

	Ok(CertificateGenerationResult {
		hostname:hostname_clone,
		success:true,
		valid_until:cert_info.valid_until,
		message:format!("Certificate generated successfully for {}", hostname),
	})
}

/// Delete a certificate from the cache
///
/// This forces the certificate to be regenerated on next use.
///
/// # Arguments
///
/// * `hostname` - The hostname whose certificate should be deleted
#[tauri::command]
pub async fn tls_delete_cert(app_handle:AppHandle, hostname:String) -> Result<String, String> {
	dev_log!("security", "deleting certificate for {}", hostname);

	let state = app_handle
		.try_state::<Arc<Mutex<CertificateManager>>>()
		.ok_or("Certificate manager not found")?;
	let cert_manager = state.clone();

	// We need to implement this in CertificateManager
	// For now, just call renew which effectively regenerates
	{
		let mut manager = cert_manager.lock().map_err(|e| format!("Failed to acquire lock: {}", e))?;

		let _result = manager.renew_certificate(&hostname);
		// TODO: Handle result properly - this needs refactoring
	}

	Ok(format!("Certificate deleted for {}", hostname))
}

/// Certificate status information
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CertificateStatus {
	/// Whether the certificate exists
	pub exists:bool,
	/// Whether the certificate is currently valid
	pub is_valid:bool,
	/// Days until expiry (negative if expired)
	pub days_until_expiry:i64,
	/// Whether the certificate needs renewal
	pub needs_renewal:bool,
	/// Certificate expiry time (ISO 8601)
	pub valid_until:String,
}

/// Certificate generation result
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CertificateGenerationResult {
	/// The hostname
	pub hostname:String,
	/// Whether generation was successful
	pub success:bool,
	/// Certificate expiry time (ISO 8601)
	pub valid_until:String,
	/// Status message
	pub message:String,
}

#[cfg(test)]
mod tests {
	use super::*;

	#[test]
	fn test_certificate_status_serialization() {
		let status = CertificateStatus {
			exists:true,
			is_valid:true,
			days_until_expiry:30,
			needs_renewal:true,
			valid_until:"2025-01-01T00:00:00Z".to_string(),
		};

		let json = serde_json::to_string(&status).unwrap();
		assert_eq!(status.exists, true);

		let deserialized:CertificateStatus = serde_json::from_str(&json).unwrap();
		assert_eq!(deserialized.exists, status.exists);
	}
}